
CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')) — Vulnerability Class 55

55 vulnerabilities classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')). AI Chinese analysis included.

CWE-113 represents a critical input validation weakness where software fails to properly sanitize carriage return and line feed characters within user-supplied data before embedding it into HTTP headers. Attackers typically exploit this vulnerability by injecting malicious CRLF sequences, effectively splitting the HTTP response to inject arbitrary headers or body content. This technique, known as HTTP Response Splitting, can facilitate session hijacking, cross-site scripting, or cache poisoning attacks by manipulating downstream proxies or browsers. To mitigate this risk, developers must rigorously validate and neutralize all incoming data, specifically filtering out or encoding CR and LF characters before they are processed for header construction. Implementing strict input validation libraries and adhering to secure coding standards ensures that untrusted data cannot alter the structure of HTTP messages, thereby preserving the integrity of the communication channel and preventing malicious header injection.

MITRE CWE Description
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. HTTP agents or components may include a web server, load balancer, reverse proxy, web caching proxy, application firewall, web browser, etc. Regardless of the role, they are expected to maintain coherent, consistent HTTP communication state across all components. However, including unexpected data in an HTTP header allows an attacker to specify the entirety of the HTTP message that is rendered by the client HTTP agent (e.g., web browser) or back-end HTTP agent (e.g., web server), whether the message is part of a request or a response. When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as "splitting" the stream into two different HTTP messages instead of one. CR is carriage return, also given by %0d or \r, and LF is line feed, also given by %0a or \n. In addition to CR and LF characters, other valid/RFC compliant special characters and unique character encodings can be utilized, such as HT (horizontal tab, also given by %09 or \t) and SP (space, also given as + sign or %20). These types of unvalidated and unexpected data in HTTP message headers allow an attacker to control the second "split" message to mount attacks such as server-side request forgery, cross-site scripting, and …
Common Consequences (1)
Scope: Integrity, Access Control · Impact: Modify Application Data, Gain Privileges or Assume Identity
CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the message that the application intends to send/receive, as well as allowing them to create additional messages entirely under their control.
Mitigations (4)
Implementation: Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms. When performing input validation, consider all potentially relevant properties, including length, type of input, the full r…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
Bad · Java
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Result
    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server.
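As an added illustration (not MITRE's or this page's own code), the same Set-Cookie construction in Python: the unsafe handler copies the decoded parameter straight into the header, while the hardened handler decodes exactly once and applies the "accept known good" check from the mitigations above, rejecting CR, LF and other control characters before the value reaches the header. The function names and the constructed sample parameters are assumptions.

```python
import re
from urllib.parse import unquote

# Added example (not MITRE's code): header-value neutralization for CWE-113.
# C0 control characters and DEL are never legal in an HTTP field value; HT
# (0x09) is the one control tolerated inside a value, so it is left out.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # includes \r and \n

# Constructed sample request parameters: a benign author name, and the same
# name followed by a percent-encoded CR LF and an extra header line.
BENIGN_PARAM = "Jane%20Smith"
INJECTED_PARAM = "Jane%20Smith%0d%0aX-Injected:%20yes"

def validate_header_value(value: str) -> str:
    """Accept-known-good check run after canonicalization: return the value
    unchanged, or raise if it could alter the structure of the header block."""
    if _FORBIDDEN.search(value):
        raise ValueError("control character in HTTP header value")
    return value

def serialize_response(author: str) -> bytes:
    """The response from the CWE example: the author lands in Set-Cookie."""
    return (f"HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: author={author}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("utf-8")

def handle_request_unsafe(raw_param: str) -> bytes:
    # Equivalent of request.getParameter(): the framework percent-decodes,
    # then the value is copied into the header untouched (the CWE-113 flaw).
    return serialize_response(unquote(raw_param))

def handle_request_safe(raw_param: str) -> bytes:
    # Hardened path: decode exactly once (CWE-180 / CWE-174), then validate.
    # "%250d%250a" decodes to the literal text "%0d%0a" and stays harmless;
    # only a second decode would turn it into CR LF, so never decode twice.
    return serialize_response(validate_header_value(unquote(raw_param)))

def header_count(response: bytes) -> int:
    """Header lines a downstream parser sees before the blank line; anything
    above the two this handler emits means a line was injected."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1  # minus the status line

if __name__ == "__main__":
    print("unsafe handler emitted", header_count(handle_request_unsafe(INJECTED_PARAM)), "headers")
    try:
        handle_request_safe(INJECTED_PARAM)
    except ValueError as exc:
        print("safe handler rejected the value:", exc)
```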
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-26137 | Drogon Environment Issue Vulnerability | drogonframework/drogon | 7.2 | High | 2023-07-06 |
| CVE-2023-34472 | AMI MegaRAC Security Vulnerability | MegaRAC_SPx | 5.7 | Medium | 2023-07-05 |
| CVE-2023-0508 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab | GitLab | 3.1 | Low | 2023-06-07 |
| CVE-2023-32708 | HTTP Response Splitting via the ‘rest’ SPL Command | Splunk Enterprise | 7.2 | High | 2023-06-01 |
| CVE-2022-42472 | Fortinet FortiOS Injection Vulnerability | FortiProxy | 4.0 | Medium | 2023-02-16 |
| CVE-2019-25101 | OnShift TurboGears HTTP Header controllers.py response splitting | TurboGears | 6.3 | Medium | 2023-02-04 |
| CVE-2022-37436 | Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting | Apache HTTP Server | 7.5 | - | 2023-01-17 |
| CVE-2022-42471 | Fortinet FortiWeb Injection Vulnerability | FortiWeb | 5.3 | Medium | 2023-01-03 |
| CVE-2022-20772 | Multiple Cisco Products Injection Vulnerability | Cisco Secure Email | 4.7 | Medium | 2022-11-03 |
| CVE-2022-3215 | swift-nio-http2 Injection Vulnerability | SwiftNIO | 5.3 | - | 2022-09-28 |
| CVE-2022-37953 | WorkstationST - Response Splitting in AM Gateway Challenge-Response | WorkstationST | 4.7 | Medium | 2022-08-25 |
| CVE-2021-40336 | HTTP Response Splitting in Hitachi Energy’s MSM Product | MSM | 5.0 | Medium | 2022-07-25 |
| CVE-2021-0268 | Junos OS: J-Web has an Improper Neutralization of CRLF Sequences in its HTTP Headers which allows an attacker to carry out multiple types of attacks. | Junos OS | 8.8 | High | 2021-04-22 |
| CVE-2020-3117 | Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability | Cisco Web Security Appliance (WSA) | 4.7 | - | 2020-09-23 |
| CVE-2020-10753 | Red Hat Ceph Injection Vulnerability | Red Hat Ceph Storage | 5.4 | Medium | 2020-06-26 |
| CVE-2020-5249 | HTTP Response Splitting (Early Hints) in Puma | Puma | 6.5 | Medium | 2020-03-02 |
| CVE-2020-5247 | HTTP Response Splitting in Puma | Puma | 6.5 | Medium | 2020-02-28 |
| CVE-2020-5216 | Limited header injection when using dynamic overrides with user input in RubyGems secure_headers | secure_headers | 4.4 | Medium | 2020-01-23 |
| CVE-2019-16771 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria | Armeria | 4.8 | Medium | 2019-12-06 |
| CVE-2019-15259 | Cisco Unified Contact Center Express HTTP Response Splitting Vulnerability | Cisco Unified Contact Center Express | 4.7 | - | 2019-10-02 |
| CVE-2018-13814 | Siemens SIMATIC Panels and SIMATIC WinCC Code Injection Vulnerability | SIMATIC HMI Comfort Panels 4" - 22", SIMATIC HMI Comfort Outdoor Panels 7" & 15", SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F, SIMATIC WinCC Runtime Advanced, SIMATIC WinCC Runtime Professional, SIMATIC WinCC (TIA Portal), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) | 9.1 | - | 2018-12-13 |
| CVE-2017-7528 | Red Hat CloudForms Management Engine Security Vulnerability | Ansible Tower | 7.4 | - | 2018-08-22 |
| CVE-2018-1067 | Red Hat Undertow Security Vulnerability | undertow | 8.2 | - | 2018-05-21 |
| CVE-2017-12308 | Multiple Cisco Products Cisco Small Business Managed Switches Software Security Vulnerability | Cisco Small Business 300 and 500 Series Managed Switches | 6.1 | - | 2018-01-18 |
| CVE-2017-12309 | Cisco Email Security Appliance Security Vulnerability | Cisco Email Security Appliance | 5.8 | - | 2017-11-16 |

Vulnerabilities classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')) represent 55 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.